Skip to main content

How I scanned dev.to APIs for vulnerabilities





I recently saw the dev.to published REST APIs.
https://developers.forem.com/api



I'm a big fan of dev.to, I often publish and read articles on it, so it made me curious, and I thought of scanning the Dev.to REST API for vulnerabilities. I used this free and web-based API security tool for the job.
https://apisec-inc.github.io/pentest/


I uploaded their OpenAPI Spec file here and submitted it:

https://raw.githubusercontent.com/apisec-inc/pentest/main/OAS/plugin-redoc-0.yaml




Here are the scan results

Scan result


Surprisingly it reported 8 issues. Here is the list:


Vulnerability report


I analyzed the dev.to web UI to find out what was happening. I quickly figured out all the open endpoints were also open on the web UI and were left public by design so the unauthenticated users can view the dev.to articles, videos, and their associated tags, categories, and authors public images. All other functionality like content engagement, likes, comments, follow, create/manage articles, etc., requires the user to be authenticated.


Conclusion: The free web tool did a decent job of identifying unauthenticated endpoints. But most of the reported endpoints were open by design. Of course, there was no way the tool could have guessed the business reasoning behind leaving those endpoints public.

Here is the free tool link: https://apisec-inc.github.io/pentest/



Comments

Post a Comment

Popular posts from this blog

Access multiple Databases in JPA

According to JPA specification we can define multiple "persistence-unit" elements (i.e. like below) in persistence.xml file and can easily refer them inside Dao layers as this. public class PolarDaoImpl {     @PersistenceContext(unitName="PolarPU")     protected EntityManager entityManager; -- } public class BearDaoImpl {     @PersistenceContext(unitName="BearPU")     protected EntityManager entityManager; -- } Checkout sample persistence.xml <?xml version="1.0" encoding="UTF-8"?> <persistence version="2.0" xmlns="http://java.sun.com/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd">     <!-- Database 1 -->     <persistence-unit name="PolarPU" transaction-type="RESOURCE_LOCAL">        ...
3 comments
Read more

Validating CSV Files

What is CsvValidator ?   A Java framework which validates any CSV files something similar to XML validation using XSD. Why should I use this ?   You don't have to use this and in fact its easy to write something your own and also checkout its source code for reference. Why did I write this ?   Some of our projects integrate with third party application which exchanges information in CSV files so I thought of writing a generic validator which can be hooked in multiple projects or can be used by QA for integration testing. What is the license clause ?   GNU GPL v2 Are there any JUnit test cases for me checkout ?  Yes,  source How to integrate in my existing project ? Just add the Jar which can be downloaded from here  CsvValidator.jar  and you are good. Instantiate  CsvValidator c onstructor which takes these 3 arguements          // filename is the the file to be validated and here ...
7 comments
Read more
               Top 10 Apps missing in HP TouchPad Without these Apps my experience is only limited to browsing web pages, though WebOS is really better multitasking device than iOS but without commonly used Apps it's only limited. 1. Native YouTube App   - You can't just use finger to do everything on 60% YouTube.com                       2. Netflix - I love to do multitasking, with Netflix running and ability to do other stuff     3 Facebook - Most of the people always like to be connected all the time here   My Mistake Skype Video is working     4  Skype - Ability to do voice and video chat, and without this I need to keep my Mac on.   5 Google Talk - Ability to do voice, video chat...
16 comments
Read more